On March 19, 2019, Jeremy Grant and Ari Schwartz were quoted in an Inside Cybersecurity article on industry observers' concerns that the absence of direct instructions from the White House, or of an appropriation of resources by Congress, raises questions about the National Institute of Standards and Technology's ability to prioritize the establishment of baseline security capabilities for the Internet of Things, a task at the heart of the Trump administration's plan to tackle botnet attacks.
"Why did NIST do the [cybersecurity framework]? Because President Obama signed an executive order saying 'you will do one.' Why is NIST doing a privacy framework? Because the White House National Economic Council told NIST 'you will do one.' Nobody has done that yet on IoT," said Grant.
Grant said the botnet report delivered by the departments of Homeland Security and Commerce to President Trump in May, in accordance with Trump Executive Order 13800, is not the same as direct instruction from the White House.
Grant questioned the wisdom of launching "yet another framework. I'm not sure that every time we've got an issue that's what we need to do."
Schwartz said a botnet profile for the CSF is on schedule for completion before the end of June, which is also in accordance with the November botnet report.
Grant noted stakeholders' appetite and support for the current direction of NIST's work on the IoT security baselines while offering measured praise for a bipartisan legislative proposal led by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), along with Representatives Robin Kelly (D-IL) and William Hurd (R-TX). The bill sets a firm deadline and instructions for the completion of NIST's work toward improving the security of IoT devices procured by the federal government.
Grant said, "The Warner bill would certainly give them that specific direction that you 'shall' produce something."